Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/05/08 17:21:53 UTC
DO NOT REPLY [Bug 19767] New: - Digest authentication doesn't work with JDBCRealm
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19767
Summary: Digest authentication doesn't work with JDBCRealm
Product: Tomcat 4
Version: 4.1.24
Platform: PC
OS/Version: Windows NT/2K
Status: NEW
Severity: Normal
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: sradicchio@hotmail.com
PROBLEM
Configuring <auth-method>DIGEST</auth-method> for a web application using
JDBCRealm doesn't work. It is not possible to authenticate users.
ANALYSIS
Debugging the source code of the org.apache.catalina.realm.JDBCRealm class, I noticed:
1) the method
     authenticate(String username, String clientDigest, String nOnce, String nc,
                  String cnonce, String qop, String realm, String md5a2)
   of the class org.apache.catalina.realm.RealmBase calculates the md5a1 value by
   calling the method getDigest(String username, String realmName) of the same class
2) the method getDigest(String username, String realmName) calculates the md5a1
   value by getting the user password from the method getPassword(String username)
   of the org.apache.catalina.realm.JDBCRealm class
   In this algorithm there are two problems:
   - getPassword() must return the cleartext password, so you have to save it
     somewhere in clear
   - at the moment getPassword() is not implemented and always returns null
3) if you implement getPassword(), the method authenticate() still returns null
   because it tries to get the Principal by calling the method
   getPrincipal(String username) of the org.apache.catalina.realm.JDBCRealm class,
   but at the moment this method is not implemented and always returns null
SOLUTION
I think there are two main things to solve:
- implement getPassword() and getPrincipal() in the JDBCRealm class
- provide the possibility to save on the DB not the cleartext password but the
  md5a1 value (the md5a1 value is the digest of the following string:
  username + realmname + password)
COMMENTS
In the end you have to decide between 4 different configurations:
1) <auth-method>BASIC and DB with cleartext pwd (working)
2) <auth-method>BASIC and DB with digest of pwd (working)
   Main limits of this solution are:
   . password sent in clear on the network
   . on the DB: if pwdA = pwdB then digestA = digestB
3) <auth-method>DIGEST and DB with cleartext pwd (not working)
   . you only have to implement getPassword() and getPrincipal() in the class
     org.apache.catalina.realm.JDBCRealm
4) <auth-method>DIGEST and DB with md5a1 (not working)
   . you have to modify the getDigest() method in the class
     org.apache.catalina.realm.RealmBase so that it can get this value directly
     from the DB
Bye
Giovanni
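The check the report describes, as an added Python example that is not Tomcat's code: it derives md5a1 as RFC 2617 defines it (MD5 of username:realm:password), keeps only that value in a constructed user table (the reporter's configuration 4, no cleartext password stored), and verifies a client's response with the same parameters RealmBase.authenticate() receives. The realm name, user table, nonce values and the client_request() helper are all constructed for the example.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """Hex MD5 digest of a string; RFC 2617 digest auth uses MD5 throughout."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def md5a1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username ":" realm ":" password), RFC 2617 section 3.2.2.2.
    This is the value a DB can hold instead of the cleartext password."""
    return md5_hex(f"{username}:{realm}:{password}")


def md5a2(method: str, uri: str) -> str:
    """HA2 = MD5(method ":" digest-uri) for qop=auth (or no qop)."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    """Response value computed by the client and recomputed by the server."""
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 form when no qop is sent


# Constructed user table: only md5a1 is stored, never the cleartext password.
REALM = "Example Realm"
USER_TABLE = {"alice": md5a1("alice", REALM, "correct horse battery staple")}


def authenticate(username, client_digest, nonce, nc, cnonce, qop, realm, md5a2_value):
    """Server-side check with the parameter list of RealmBase.authenticate():
    look up the stored md5a1 and compare the recomputed response in constant time."""
    stored_md5a1 = USER_TABLE.get(username)
    if stored_md5a1 is None or realm != REALM:
        return False
    expected = digest_response(stored_md5a1, nonce, nc, cnonce, qop, md5a2_value)
    return hmac.compare_digest(expected, client_digest)


def client_request(username, password, nonce, nc, cnonce, qop, method, uri):
    """What a browser sends: the response derived from the cleartext password,
    which therefore never crosses the network."""
    ha1 = md5a1(username, REALM, password)
    return digest_response(ha1, nonce, nc, cnonce, qop, md5a2(method, uri))


if __name__ == "__main__":
    nonce, nc, cnonce, qop = "5f1e7d0c9b", "00000001", "0a4f113b", "auth"
    resp = client_request("alice", "correct horse battery staple", nonce, nc, cnonce, qop, "GET", "/dir/index.html")
    print(authenticate("alice", resp, nonce, nc, cnonce, qop, REALM, md5a2("GET", "/dir/index.html")))
```

Because the stored md5a1 is bound to the realm name, changing the realm in the configuration invalidates every stored value, which is the trade-off the reporter's configuration 4 accepts in exchange for not storing cleartext passwords.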